An Exact Quantum Polynomial-Time Algorithm for Simon's Problem 
Abstract

We investigate the power of quantum computers when they are required to return an answer that is guaranteed to be correct after a time that is upper-bounded by a polynomial in the worst case. We show that a natural generalization of Simon's problem can be solved in this way, whereas previous algorithms required quantum polynomial time in the expected sense only, without upper bounds on the worst-case running time. This is achieved by generalizing both Simon's and Grover's algorithms and combining them in a novel way. It follows that there is a decision problem that can be solved in exact quantum polynomial time, which would require expected exponential time on any classical bounded-error probabilistic computer if the data is supplied as a black box.



1 Introduction 

According to the modern version of the Church-Turing thesis, anything that can be computed in polynomial time on a physically realisable device can be computed in polynomial time on a probabilistic Turing machine with bounded error probability. This belief has been seriously challenged by the theory of quantum computing. In particular, Simon [18] provided the first example of a problem that can be solved in polynomial time on a quantum computer, yet any classical bounded-error probabilistic algorithm would require exponential time if the data is supplied as a black box. However, Simon's algorithm is polynomial-time in the expected sense: there is no upper bound on how long it may run on any given instance if it keeps being unlucky. (The same can be said about Shor's celebrated quantum factoring algorithm [17].)

In this paper, we address the issue of exact quantum polynomial time, which concerns problems that quantum computers can solve in guaranteed worst-case polynomial time with zero error probability. Note that this strong requirement would make randomness useless for classical machines: anything you can compute on a classical probabilistic computer with zero error probability in guaranteed worst-case polynomial time can be done in polynomial time by a deterministic computer — simply run the probabilistic algorithm with an arbitrarily fixed sequence of coin "tosses".

The study of exact quantum polynomial time is not new. The very first algorithm ever designed to demonstrate an advantage of quantum computers over classical computers, due to Deutsch and Jozsa [14], was of this exact nature. However, it solved a problem that could be handled just as efficiently with a classical probabilistic computer, provided an arbitrarily small (one-sided) error probability is tolerated. Later, Bernstein and Vazirani provided a relativized problem that can be solved in exact quantum polynomial time, but not in time $n^{o(\log n)}$ on any classical bounded-error probabilistic machine [?]. More recently, we constructed such a problem that would require exponential time on any classical bounded-error probabilistic machine [11]. None of these problems were decision problems.¹ Here we recast Simon's problem in a natural group-theoretic framework, we generalize it, and we give an exact quantum polynomial-time algorithm to solve it. This provides the first evidence of an exponential gap between the power of exact quantum computation and that of classical bounded-error probabilistic computation, even for decision problems.

¹ The Deutsch-Jozsa problem gives rise to an oracle decision problem [?]. Also, in the soon-to-be-published journal version of their paper, Bernstein and Vazirani extend their result to a decision problem [5].

Of independent interest are the techniques developed to obtain our results. Two of the most fundamental techniques discovered so far in the field of quantum computation are Simon's [18] and Grover's. Here, we generalize both techniques and we show for the first time that they can be made to work together toward a common goal: our algorithm crucially requires the availability of both these tools.

In this paper, we shall use the term ZQP-algorithm (resp. QP-algorithm) to denote an algorithm that runs in expected (resp. guaranteed worst-case) polynomial time on the quantum computer to solve an arbitrary problem. In particular, ZQP (resp. QP) is the class of decision problems that allow a ZQP-algorithm (resp. a QP-algorithm).² To summarize our results, Simon gave a ZQP-algorithm for his problem; we generalize it and give a QP-algorithm. This allows for the construction of an oracle under which there is a decision problem in QP that would not only lie outside of the classical class BPP — which was known already [?] — but that would require exponential time on any classical bounded-error probabilistic computer.

2 Simon's subgroup problem 



We first state Simon's problem [18]. Let $n \ge 1$ be any integer and $R$ any set representable on a quantum computer. Let $\oplus : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ denote the bitwise exclusive-or, written using infix notation.

Given: An integer $n \ge 1$ and a function $p : \{0,1\}^n \to R$.

Promise: There exists a nonzero element $s \in \{0,1\}^n$ such that for all $g, h \in \{0,1\}^n$, $p(g) = p(h)$ if and only if $g = h$ or $g = h \oplus s$.

Problem: Find $s$.

We say of such a function $p$ that it fulfills Simon's promise with respect to $s$.

There is a nice group-theoretic interpretation and gener- 
alization for Simon's problem, and since that interpretation 
also helps simplify the notation, we shall use it. Hence, we 
reformulate Simon's problem as follows. 

Let $\mathbb{Z}_2 = \{0,1\}$ denote the additive group of two elements with addition denoted by $\oplus$. For any given integer $n \ge 1$, let $G$ denote the group $(\mathbb{Z}_2^n, \oplus)$. For any subset $X \subseteq G$, let $|X|$ denote the cardinality of $X$ and let $\langle X \rangle$ denote the subgroup generated by $X$. A subset $X$ of a set $Y$ is proper if $X \ne Y$. A subset $X \subseteq G$ is linearly independent in $G$ if no proper subset of $X$ generates $\langle X \rangle$. If $H \le G$ is a subgroup then $g \in G$ is called a representative for the coset $g \oplus H$.

² ZQP has been called EQP ("E" for Exact) by some authors [?].



Define a bilinear map $G \times G \to \mathbb{Z}_2$ by

$$g \cdot h = \Big(\sum_{i=1}^{n} g_i h_i\Big) \bmod 2 \qquad (1)$$

where $g = (g_1, \dots, g_n)$ and $h = (h_1, \dots, h_n)$. For any subgroup $H \le G$, let

$$H^\perp = \{\, g \in G \mid g \cdot h = 0 \text{ for all } h \in H \,\} \qquad (2)$$

denote the orthogonal subgroup of $H$. For any subgroups $K \le H \le G$, let $[H : K]$ denote the index of $K$ in $H$, that is, the number of cosets of $K$ in $H$. Note that, for all subgroups $H \le G$, we have $(H^\perp)^\perp = H$ and $|H^\perp| = [G : H]$. Using this terminology, we state the following problem.



Given: An integer $n \ge 1$ and a function $p : G = \mathbb{Z}_2^n \to R$.

Promise: There exists a subgroup $H_0 \le G$ such that $p$ is constant and distinct on each coset of $H_0$.

Problem: Find a generating set for $H_0$.

We say of such a function $p$ that it fulfills Simon's promise with respect to subgroup $H_0$.

In Simon's original problem [18], $H_0$ is assumed to have order 2, that is, $H_0 = \{0, s\}$ for some $s \in G$ and the problem is then to find $s$. We shall, however, in the rest of this paper, refer to the above problem as Simon's subgroup problem. Simon gave in [18] a very simple and beautiful quantum algorithm for solving the subgroup problem. We now review the main ideas behind that algorithm, but we use a language which is rather different from Simon's.

A first crucial observation is that, given a generating set for a subgroup, one can easily (classically or quantumly) deduce a generating set for its orthogonal subgroup. This fact is often used in coding theory: given the generator matrix of a binary linear code, it allows one to compute the generator matrix of its dual. We state this formally in Propositions 1 and 2 below.

Proposition 1 There exists a classical deterministic algorithm that, given a subset $X \subseteq G = \mathbb{Z}_2^n$, returns a linearly independent subset of $G$ that generates the subgroup $\langle X \rangle$. Moreover, the algorithm runs in time polynomial in $n$ and linear in the cardinality of $X$.

Proposition 2 There exists a classical deterministic algorithm that, given a linearly independent subset $X \subseteq G = \mathbb{Z}_2^n$, returns a linearly independent subset of $G$ that generates the orthogonal subgroup of $\langle X \rangle$. Moreover, the algorithm runs in time polynomial in $n$.

From these two propositions, and since $(H^\perp)^\perp = H$ for all subgroups $H$, it follows that to solve Simon's subgroup problem it suffices to find a generating set for $H_0^\perp$. In [18], Simon proved a special case of Theorem 3 below, which gives an efficient quantum algorithm for finding a random element of $H_0^\perp$ with respect to the uniform probability distribution.

Theorem 3 Let $n \ge 1$ be an integer and $p : G = \mathbb{Z}_2^n \to R$ be a function that fulfills Simon's promise for some subgroup $H_0 \le G$. Assume that a quantum algorithm to compute $p$ is given, together with the value of $n$.

Then there exists a quantum algorithm capable of finding a random element of the orthogonal subgroup $H_0^\perp$. Moreover, the algorithm runs in time linear in $n$ and in the time required to compute $p$.

We refer to this algorithm as Simon's subroutine and discuss it further in the next section. By repeating the subroutine until one has a generating set for $H_0^\perp$ and then applying Propositions 1 and 2 above, one has solved Simon's subgroup problem. Before this yields an algorithm, however, we need a procedure to determine when to stop sampling. Moreover, a bound on the expected number of samples needed to build a generating set for $H_0^\perp$ is required in order to determine the running time of the algorithm.

Consider first the former question of how to determine if a sampled subset $Y$ generates $H_0^\perp$. If $H_0$ is of known order 2 (as in Simon's original paper) then we stop sampling when $Y$ generates a subgroup of order $|H_0^\perp| = [G : H_0] = 2^{n-1}$. If the order of $H_0$ is unknown then first observe that since $Y \subseteq H_0^\perp$ then $H_0 \subseteq \langle Y \rangle^\perp$, where equality holds if and only if $Y$ generates $H_0^\perp$ (and not only a proper subgroup). In other words, $Y$ generates $H_0^\perp$ if and only if $p$ is constant on $\langle Y \rangle^\perp$. This last condition is easily checked by first applying Propositions 1 and 2 to find a linearly independent set $X$ that generates the orthogonal subgroup $\langle Y \rangle^\perp$, and then evaluating $p$ on $X$. It is thus easy to decide when we can stop sampling.
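Propositions 1 and 2 and the stopping test above, as an added Python example that is not part of the paper: elements of $G = \mathbb{Z}_2^n$ are $n$-bit integers (entry $i$ of $g$ is bit $i$), $\langle X \rangle$ is reduced by Gaussian elimination over $\mathbb{Z}_2$, $\langle X \rangle^\perp$ is built as the dual of the reduced generator matrix, and $p$ is a constructed coset-labelling function. The function `zqp_simon` is this example's own assumption: it replays Simon's ZQP loop with the quantum subroutine replaced by a classical uniform sampler of $H_0^\perp$ (which is handed $H_0$ only so that it can sample), so the number of samples can be compared with the $2\log_2|H|$ bound of the next paragraph.

```python
import random

def dot(g, h):
    """Bilinear map of equation (1): g . h = sum_i g_i h_i mod 2, for elements given as n-bit integers."""
    return bin(g & h).count("1") & 1

def span(X):
    """All elements of the subgroup <X> generated by X."""
    s = {0}
    for x in X:
        s |= {h ^ x for h in s}
    return s

def independent_basis(X):
    """Proposition 1: a linearly independent generating set of <X>, by Gaussian elimination over Z_2.
    The result is in reduced echelon form: each element has a pivot entry where it is the only
    element with a 1, which is also the form the shrinking routine of Section 4.1 needs."""
    basis = {}                                   # pivot bit -> element with that pivot
    for x in X:
        for piv, row in basis.items():           # clear the existing pivots from x
            if (x >> piv) & 1:
                x ^= row
        if x:                                    # x lies outside the span found so far
            piv = x.bit_length() - 1
            for q in basis:                      # clear the new pivot from the older elements
                if (basis[q] >> piv) & 1:
                    basis[q] ^= x
            basis[piv] = x
    return sorted(basis.values())

def orthogonal_basis(X, n):
    """Proposition 2: a linearly independent generating set of <X>^perp in G = Z_2^n, built as the
    dual of the reduced generator matrix: one element for every non-pivot entry f."""
    rows = {x.bit_length() - 1: x for x in independent_basis(X)}
    result = []
    for f in range(n):
        if f not in rows:
            v = 1 << f
            for piv, row in rows.items():
                if (row >> f) & 1:
                    v |= 1 << piv
            result.append(v)
    return result

def generates_orthogonal(Y, p, n):
    """Stopping test of Section 2: Y (a subset of H0^perp) generates H0^perp iff p is constant on
    <Y>^perp; since p(x) = p(0) exactly when x is in H0, it suffices to test a generating set."""
    return all(p[x] == p[0] for x in orthogonal_basis(Y, n))

def coset_function(n, gens):
    """Constructed p fulfilling Simon's promise: label g by the smallest element of its coset of H0."""
    h0 = span(gens)
    return [min(g ^ h for h in h0) for g in range(2 ** n)]

def zqp_simon(p, n, seed=None):
    """Simon's ZQP-algorithm with Theorem 3 replaced by a classical uniform sampler of H0^perp.
    The sampler is handed H0 (recovered here from p) only so that it can sample; the quantum
    subroutine produces the same distribution from p alone. Returns (generating set of H0, samples)."""
    rng = random.Random(seed)
    h0 = {g for g in range(2 ** n) if p[g] == p[0]}
    h0_perp = [g for g in range(2 ** n) if all(dot(g, h) == 0 for h in h0)]
    Y, samples = [], 0
    while not generates_orthogonal(Y, p, n):      # stop as soon as <Y>^perp collapses to H0
        Y.append(rng.choice(h0_perp))
        samples += 1
    return orthogonal_basis(Y, n), samples

def average_samples(p, n, trials=2000):
    """Mean sample count over independent runs, to compare with the 2 log2 |H0^perp| bound."""
    return sum(zqp_simon(p, n, seed=t)[1] for t in range(trials)) / trials

# Constructed instance: n = 4 and H0 = <1010, 0110>, so that H0^perp = <0001, 1110>.
N, P = 4, coset_function(4, [0b1010, 0b0110])
```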

Consider now the latter question of how many times one must repeat Simon's subroutine in order to obtain a generating set for $H_0^\perp$. More generally, given any finite group $H$, what is the expected number of elements one must pick from $H$ in order to have a generating set for $H$ when the elements are picked mutually independently with respect to the uniform probability distribution on $H$? There is a simple (easy to improve) upper bound on this value which can be found as follows. Let $K \le H$ be any proper subgroup. Then the probability that a randomly picked element in $H$ is not in $K$ is at least 1/2, so after an expected number of at most 2 samples, we have picked an element $z \in H \setminus K$, and hence $K$ is proper in $\langle z, K \rangle$. Since any sequence of proper subgroups in a finite group $H$ can have length at most $\log_2 |H|$, it follows that after an expected number of at most $2 \log_2 |H|$ samples we have found a generating set for $H$.



By the above remarks, we can summarize the main steps in Simon's ZQP-algorithm for solving his subgroup problem as follows. Assume we have a quantum polynomial-time algorithm to compute $p$. By Theorem 3, we can in polynomial time sample random elements of the orthogonal subgroup $H_0^\perp$. We have efficient routines for testing when to stop sampling and for finding $H_0$ from $H_0^\perp$. Finally, the expected number of samples needed is logarithmically bounded in the order of the group, giving an overall polynomial-time expected running time to find a generating set for $H_0$.

In our approach, we also solve Simon's subgroup problem by first finding a generating set for $H_0^\perp$, and we also use the method of finding repeatedly larger and larger subgroups $\langle Y \rangle$ of $H_0^\perp$. However, instead of finding an element in $H_0^\perp$ that is not already in $\langle Y \rangle$ with some bounded probability, we have discovered a method that guarantees that the sampled element is taken from the subset $H_0^\perp \setminus \langle Y \rangle$. In addition, our method for finding such an element needs only time polynomial in $n$ and in the time required to compute $p$.

Theorem 4 Let $n \ge 1$ be an integer and $p : G = \mathbb{Z}_2^n \to R$ be a function that fulfills Simon's promise for some subgroup $H_0 \le G$. Assume that a quantum algorithm that computes $p$ without making any measurements is given, together with the value of $n$ and a linearly independent subset $Y$ of the orthogonal subgroup $H_0^\perp$.

Then there exists a quantum algorithm that returns an element of $H_0^\perp \setminus \langle Y \rangle$ provided $Y$ does not generate $H_0^\perp$, and otherwise it returns the zero element. Moreover, the algorithm runs in time polynomial in $n$ and in the time required to compute $p$.



We postpone the proof of this theorem till Section 4.3. Our new QP-algorithm for solving Simon's subgroup problem follows easily from Theorem 4.

Theorem 5 (QP-algorithm for Simon's problem) Let $n \ge 1$ be an integer and $p : G = \mathbb{Z}_2^n \to R$ be a function that fulfills Simon's promise for some subgroup $H_0 \le G$. Then given a quantum polynomial-time (in $n$) algorithm to compute $p$ without making measurements, there exists a QP-algorithm to find a generating set for $H_0$.

Proof The algorithm consists of two stages. In the first stage, we find a generating set for $H_0^\perp$ as follows. We initialize a counter $i = 0$ and set $Y^{(0)} = \emptyset$ to reflect the fact that we initially do not know any nontrivial elements of the orthogonal subgroup $H_0^\perp$.

We then compute the following process. We apply Theorem 4, giving an element $z^{(i+1)} \in H_0^\perp$. If the outcome $z^{(i+1)}$ is the zero element then we terminate the first stage. Otherwise, we set $Y^{(i+1)} = Y^{(i)} \cup \{z^{(i+1)}\}$ and increment the counter $i$ by 1. We repeat this process until we finally measure the zero element and then we terminate the first stage. Note that each of the subsets $Y^{(j)}$ ($0 \le j \le i$) is linearly independent by Theorem 4. Moreover, by the same theorem, since the final measured element $z^{(i+1)}$ is the zero element we know that $Y^{(i)}$ generates the orthogonal subgroup.

In the second stage, we apply Proposition 2 on the set $Y^{(i)}$ to find a generating set for $H_0$. This completes our proof of the existence and correctness of the algorithm.

Any linearly independent set in $G = \mathbb{Z}_2^n$ can have cardinality at most $n$ and hence the algorithm applies Theorem 4 at most $n$ times, each taking time polynomial in $n$. Since the final application of Proposition 2 also runs in polynomial time, the claimed running time follows. □

3 Simon's quantum algorithm 

We assume in this extended abstract that the reader is familiar with the basic notions of quantum computing [?]. We denote a register holding $m$ qubits, all in the zero state, by $|0^m\rangle$. When its dimension is of no importance, we sometimes just write $|0\rangle$. For any nonempty subset $X \subseteq G$, let $|X\rangle$ denote the equally-weighted superposition $\frac{1}{\sqrt{|X|}} \sum_{x \in X} |x\rangle$. In particular, if $g \oplus H_0$ is a coset of $H_0$, then $|g \oplus H_0\rangle$ denotes the superposition $\frac{1}{\sqrt{|H_0|}} \sum_{h \in H_0} |g \oplus h\rangle$. For any nonempty subset $X \subseteq G$ and any element $g \in G$, let $|\phi_g X\rangle$ denote the superposition $\frac{1}{\sqrt{|X|}} \sum_{x \in X} (-1)^{g \cdot x} |x\rangle$.

Define the one-bit Walsh-Hadamard transform

$$W_2 = \frac{1}{\sqrt{2}} \sum_{i,j=0}^{1} (-1)^{ij} \, |i\rangle\langle j| .$$

With respect to the ordered basis $(|0\rangle, |1\rangle)$, this reads $W_2 = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$. Let $W_2^{(n)}$ denote the Walsh-Hadamard transform applied on each qubit of a system of $n$ qubits. The result of applying $W_2^{(n)}$ to $|g\rangle$, where $g \in G$, is the superposition $|\phi_g G\rangle$. Moreover, for any subgroup $K \le G$ and any elements $g, h \in G$,

$$W_2^{(n)} \, |\phi_h (g \oplus K)\rangle = (-1)^{g \cdot h} \, |\phi_g (h \oplus K^\perp)\rangle . \qquad (3)$$

Thus, by applying the Walsh-Hadamard transform, the subgroup is mapped to its orthogonal subgroup, and the phases translate to a coset and vice versa.

A classical function $f$ is evaluated reversibly by the operation $U_f$ which maps $|x\rangle|y\rangle$ to $|x\rangle|y \oplus f(x)\rangle$. Note that a second application of $U_f$ will restore the second register to its original value since $|x\rangle|y \oplus f(x) \oplus f(x)\rangle = |x\rangle|y\rangle$.

Let $T_0$ be a transversal of $H_0$ in $G$, that is, a subset $T_0 \subseteq G$ that consists of exactly one representative from each coset of $H_0$. Simon's subroutine for finding a random element of $H_0^\perp$, working on the initial state $|0^n\rangle|0\rangle$, can be described as follows.



Simon's subroutine

1. Apply the inverse of transform $W_2^{(n)}$ to the first register,³ producing an equally-weighted superposition of all elements in the group $G$,

$$\frac{1}{\sqrt{|G|}} \sum_{g \in G} |g\rangle |0\rangle .$$

2. Apply $U_p$, producing a superposition of all cosets of $H_0$,

$$\frac{1}{\sqrt{|G|}} \sum_{g \in G} |g\rangle |p(g)\rangle = \frac{1}{\sqrt{|T_0|}} \sum_{t \in T_0} |t \oplus H_0\rangle |p(t)\rangle .$$

3. Apply $W_2^{(n)}$ to the first register, producing a superposition over the orthogonal subgroup $H_0^\perp$,

$$|\Psi\rangle = \frac{1}{\sqrt{|T_0|}} \sum_{t \in T_0} |\phi_t H_0^\perp\rangle |p(t)\rangle . \qquad (4)$$



Suppose we measure the first register in the resulting superposition $|\Psi\rangle$. Let $z$ be the outcome. It is immediate that $z$ is a random element of the orthogonal subgroup $H_0^\perp$, which proves Theorem 3 above and implies Simon's ZQP-algorithm for solving his subgroup problem.

Now, consider the crucial cause in Simon's algorithm why it is not a QP-algorithm. Suppose we have already found an independent set $Y \subseteq H_0^\perp$ that generates only a proper subgroup of $H_0^\perp$. Then, what we would like is to measure an element $z \in H_0^\perp$ such that $Y \cup \{z\}$ is also linearly independent. However, Simon's algorithm promises only that $z$ preserves independence with some probability. Our approach to finding $z$ so that $Y \cup \{z\}$ is certain to be linearly independent consists in solutions to the following two subproblems. Suppose we have written $H_0^\perp$ as the internal direct sum of two subgroups, $H_0^\perp = K \oplus \langle Y \rangle$ for some nontrivial $K \le H_0^\perp$. Then our solution, informally, consists of two parts.

1. We give a method for transforming $|H_0^\perp\rangle$ into $|K\rangle$.

2. We give a method for transforming $|K\rangle$ into $|X\rangle$ where $X \subseteq K \setminus \{0\}$ is a nonempty subset consisting only of some of the nonzero elements of $K$.

In the next section, we present our solutions (Lemma 7 and Lemma 8, respectively) to these two problems. From these, we then prove Theorem 4 stated above. Our new QP-algorithm for Simon's subgroup problem (Theorem 5) is an easy corollary to that theorem.

³ Of course, we could apply $W_2^{(n)}$ rather than its inverse since this transformation is self-inverse. Nevertheless, it is more natural to think of the operation in terms of the inverse of $W_2^{(n)}$, especially if we wish to extend the notion to non-Abelian groups.

4 Our new QP-algorithm

This section consists of three subsections. The first two contain our solutions to the two above-mentioned subproblems, while we combine them in the last subsection to prove Theorem 4.

4.1 Shrinking a subgroup 

If we apply Simon's subroutine on the initial zero state $|0^n\rangle|0\rangle$, our quantum system is afterwards in superposition $|\Psi\rangle$ defined in Equation (4). In particular, for every element $t$ in a transversal for $H_0$, the first register holds the superposition $|\phi_t H_0^\perp\rangle$. If we measure this register then we will measure a random element of $H_0^\perp$. Now, suppose we have earlier measured a nonzero element $y \in H_0^\perp$. Then we would like not to measure $y$ once again, but rather some other element.

The following lemma provides us with a routine that ensures we will not measure $y$ again. Since $y = (y_1, \dots, y_n)$ is nonzero, it has some nonzero entry, say $y_j = 1$. The idea is to use the $j$th entry in the first register to change subgroup $H_0^\perp$ into the smaller subgroup $K = \{(h_1, \dots, h_n) \in H_0^\perp \mid h_j = 0\}$ of all elements in $H_0^\perp$ with 0 in that entry. It follows then that we shall not obtain $y$ again if we measure the first register in this new superposition.

Lemma 6 Let $H \le G$ be a nontrivial subgroup and let $y = (y_1, \dots, y_n) \in H$ be a known nonzero element. Let $j$ be such that $y_j = 1$ and let $K$ denote the subgroup $\{(h_1, \dots, h_n) \in H \mid h_j = 0\}$.

Then there exists a quantum routine that, for all $g \in G$, given $|\phi_g H\rangle |0\rangle$ returns $|\phi_g K\rangle |g \cdot y\rangle$. Moreover, the routine runs in time linear in $n$ and it uses no measurements.

Proof The routine consists of three unitary operations. Initially, we apply the controlled NOT operation where the $j$th qubit in the first register is the control bit and the second register holds the target bit. Applying this operation on the input $|\phi_g H\rangle |0\rangle$ produces

$$\frac{1}{\sqrt{|H|}} \sum_{h \in H} (-1)^{g \cdot h} \, |h\rangle |h_j\rangle$$

where $h = (h_1, \dots, h_n) \in H$, $0y = 0$ and $1y = y$. Then, if the second register holds a 1, we apply the operator defined by $|x\rangle \mapsto |x \oplus y\rangle$ to the first register. This produces

$$\frac{1}{\sqrt{|H|}} \sum_{h \in H} (-1)^{g \cdot h} \, |h \oplus h_j y\rangle |h_j\rangle ,$$

which also can be written as

$$|\phi_g K\rangle \Big( \frac{1}{\sqrt{2}} \sum_{b=0}^{1} (-1)^{g \cdot (b y)} \, |b\rangle \Big) .$$

Finally, we apply $W_2$ to the second register, giving the superposition in the lemma. The routine uses no measurements and its running time is clearly linear in $n$. □

The above lemma can easily be generalized to the case in which we have already measured not merely one nonzero element of $H_0^\perp$, but any linearly independent subset of $H_0^\perp$. The solution is then to apply the above lemma repeatedly for each element in that subset.

Lemma 7 Let $H \le G$ be a nontrivial subgroup and $\{y^{(1)}, \dots, y^{(m)}\} \subseteq H$ a known linearly independent set in $H$. Then there exist a subgroup $K \le H$ with $H = K \oplus \langle y^{(1)}, \dots, y^{(m)} \rangle$ and a quantum routine that, for all $g \in G$, returns $|\phi_g K\rangle |g \cdot y^{(1)}, \dots, g \cdot y^{(m)}\rangle$ given $|\phi_g H\rangle |0^m\rangle$. Moreover, the routine runs in time linear in $nm$ and it uses no measurements.

4.2 Removing from a subgroup 

Consider first how much we have gained by using the result from the previous subsection. Suppose we first apply Simon's subroutine and then the routine in Lemma 7. Call this combined routine $A'$. Given a linearly independent set $\{y^{(1)}, \dots, y^{(m)}\} \subseteq H_0^\perp$, routine $A'$ produces, on the input $|0^n\rangle |0, 0^m\rangle$, the superposition

$$|\Psi'\rangle = \frac{1}{\sqrt{|T_0|}} \sum_{t \in T_0} |\phi_t K\rangle \, |p(t), \, t \cdot y^{(1)}, \dots, t \cdot y^{(m)}\rangle . \qquad (5)$$

Here $K$ is given as in Lemma 7. Thus, for every $t$ in a transversal $T_0$ for $H_0$, we hold the superposition $|\phi_t K\rangle$ in the first register. By Lemma 7, if we measure the first register, we cannot obtain a previously known element of $H_0^\perp$. Neither can we obtain a nonzero element that is a linear combination of known elements. Nevertheless, it remains possible that we obtain the zero element.

In this subsection, we show how to avoid measuring the zero element. This solves the second subproblem mentioned at the end of Section 3. Our solution does not build on a group-theoretical view as in the previous subsection, but instead on a general view of $A'$ as a probabilistic quantum algorithm that succeeds with some bounded probability.

We say that a state in the superposition is good if it contains a nonzero element in the first register. States that are not good are said to be bad. The success probability of $A'$ is the probability that we measure a good state by measuring the first register of the system.

If $K = \{0\}$ is the trivial subgroup then the success probability of $A'$ is clearly zero. Otherwise, $A'$ succeeds with probability $1 - 1/k$ where $k = |K|$ is the order of $K$. Thus, we can initially distinguish between these two cases with high probability, but not with certainty. Our result in this subsection is a method to encapsulate $A'$ in a larger quantum algorithm that succeeds with certainty provided $K \ne \{0\}$ (see Theorem 4 for an example). To obtain this, consider first the more general problem of improving the success probability of a probabilistic quantum algorithm, formulated as follows.

Suppose we are given a quantum algorithm $A$ that on input $|0\rangle$ returns some superposition $|\Psi\rangle = \sum_{i \in I} |i\rangle |\psi_i\rangle$ for some finite index set $I \subseteq \mathbb{Z}$. Suppose also that $I$ can be written as the disjoint union of two sets $A$ and $B$ where $A$ corresponds to the "good" solutions and $B$ to the "bad" solutions, and suppose we are given a quantum algorithm to compute the characteristic function $\chi = \chi_A : I \to \{0,1\}$ of $A$. Let $|A\rangle = \sum_{i \in A} |i\rangle |\psi_i\rangle$ denote the superposition of good solutions, and $|B\rangle = \sum_{i \in B} |i\rangle |\psi_i\rangle$ the superposition of bad solutions. Write $|\Psi\rangle = |A\rangle + |B\rangle$. Let $a = \langle A | A \rangle$ denote the probability that we measure a good solution, and similarly let $b = \langle B | B \rangle$. Note that $\langle A | B \rangle = 0$ and hence $a + b = 1$.

Using a generalization of the technique in Grover's algorithm [13], we encapsulate $A$ in a larger quantum algorithm $Q$ such that the probability that $Q$ returns a good solution is significantly better compared to the probability that $A$ returns a good solution. In [?], it is shown that if $A = W_2^{(n)}$ is the Walsh-Hadamard transform and the probability of success of $A$ is exactly one quarter ($a = 1/4$) then $Q$ can be constructed such that it succeeds with certainty.

For our purpose, we require a similar technique which applies in the case that $A$ is any quantum algorithm that uses no measurements and has success probability exactly one half ($a = 1/2$). To obtain this result, we use complex phases, whereas in Grover's original algorithm only the real phases $\pm 1$ are needed [15]. Let $i = \sqrt{-1}$ denote the square root of $-1$. (Do not confuse imaginary $i$ with integer $i$.) The formal setting and the lemma are as follows.

Lemma 8 Let $A$ be a quantum algorithm that uses no measurements and that given $|0\rangle$ returns $|\Psi\rangle = \sum_{i \in I} |i\rangle |\psi_i\rangle$ for some finite index set $I \subseteq \mathbb{Z}$. Let $\chi : I \to \{0,1\}$ be any Boolean function. Define

$$A = \{\, i \in I \mid \chi(i) = 1 \,\}, \quad a = \langle A | A \rangle, \qquad B = \{\, i \in I \mid \chi(i) = 0 \,\}, \quad b = \langle B | B \rangle .$$

Then there exists a quantum algorithm $Q$ that on input $|0\rangle$ returns $k|A\rangle + l|B\rangle$ where $k = 2i(1 - a) - 1$ and $l = i(1 - 2a)$. In particular, if $a = \frac{1}{2}$ then the result is $(i - 1)|A\rangle$. If $a = 0$ then $|A\rangle$ has norm zero and hence the result is $i|B\rangle$. Moreover, $Q$ runs in time linear in the number of qubits and in the times required to compute $A$ and $U_\chi$, and it uses no measurements.

Proof First note that $B = I \setminus A$ and that $|\Psi\rangle = |A\rangle + |B\rangle$ can be written as a sum of "good" and "bad" solutions with inner product zero, $\langle A | B \rangle = 0$. Note also that the probabilities to measure a "good" or "bad" solution sum to 1: $a + b = 1$. For every $k, l \in \mathbb{C}$ with $|k|^2 a + |l|^2 b = 1$, define the normalized superposition $|\Psi(k, l)\rangle = k|A\rangle + l|B\rangle$. Here $|x|$ denotes the norm of $x \in \mathbb{C}$. Note that $|\Psi(1,1)\rangle = |\Psi\rangle = A|0\rangle$.

Now, instead of measuring $|\Psi(1,1)\rangle = |\Psi\rangle$ immediately, we add one Grover iteration before the measurement. This Grover iteration is not the one from Grover's paper [13] but a generalized version defined as follows. Let the phase-change operator $S_A$ be defined by

$$S_A \, |i\rangle |\psi_i\rangle = \begin{cases} i \, |i\rangle |\psi_i\rangle & \text{if } i \in A \\ |i\rangle |\psi_i\rangle & \text{if } i \notin A . \end{cases}$$

In a similar manner, let $S_{\{0\}}$ be the operator that changes the phase by $i$ if and only if the state is the zero state. Define the Grover iteration as

$$G = A \, S_{\{0\}} \, A^{-1} S_A .$$

Straightforward calculations show that applying $G$ on a superposition of the form $|\Psi(k, l)\rangle$ has the same kind of effect as the one in [13]. In particular, we have

$$G \, |\Psi(1,1)\rangle = |\Psi(2i(1 - a) - 1, \; i(1 - 2a))\rangle .$$

Let $Q$ be the quantum algorithm in which we first apply $A$ and then $G$. Then applying $Q$ on input $|0\rangle$ produces

$$Q|0\rangle = G \, |\Psi(1,1)\rangle = (2i(1 - a) - 1) \, |A\rangle + i(1 - 2a) \, |B\rangle ,$$

and the first part of the lemma follows.

The phase-change operator $S_{\{0\}}$ can be applied in time linear in the number of qubits, while $S_A$ can be applied by computing $U_\chi$ twice and doing a constant amount of additional work. Hence, $Q$ runs in time linear in the number of qubits and in the times required to compute $A$ and $U_\chi$. □
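The "straightforward calculations" behind $G|\Psi(1,1)\rangle$, written out here as an added derivation that is not part of the original proof and uses only the definitions above. Since $S_{\{0\}} = I + (i-1)|0\rangle\langle 0|$ and $A|0\rangle = |\Psi\rangle$,

$$A \, S_{\{0\}} \, A^{-1} = I + (i-1) \, |\Psi\rangle\langle\Psi| .$$

Applying $S_A$ first gives $S_A |\Psi\rangle = i|A\rangle + |B\rangle$, and $\langle\Psi| \big( i|A\rangle + |B\rangle \big) = ia + b = ia + 1 - a$ because $\langle A|B\rangle = 0$. Hence

$$G \, |\Psi(1,1)\rangle = i|A\rangle + |B\rangle + (i-1)(ia + 1 - a) \big( |A\rangle + |B\rangle \big) .$$

Using $(i-1)(ia + 1 - a) = (i-1) + a(i-1)^2$ and $(i-1)^2 = -2i$, the coefficient of $|A\rangle$ is $i + (i-1) - 2ia = 2i(1-a) - 1$ and the coefficient of $|B\rangle$ is $1 + (i-1) - 2ia = i(1-2a)$, as claimed. For $a = \frac{1}{2}$ the $|B\rangle$ term vanishes and $|i-1|^2 \cdot \frac{1}{2} = 1$, so the whole norm sits on the good solutions.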

4.3 Composing our new QP-algorithm

By Lemma 8, we can take a quantum algorithm $A$ and construct a new quantum algorithm $Q$ such that if $A$ succeeds with probability zero then so does $Q$, and if $A$ has success probability 1/2 then $Q$ succeeds with certainty. Consider the algorithm $A'$ defined in the beginning of Subsection 4.2. It succeeds with probability zero if $K = \{0\}$ is trivial, and otherwise with probability $1 - 1/k$ where $k = |K|$ is the order of $K$.

At first glance, it seems that we cannot apply Lemma 8 since $A'$ succeeds with too large a probability. Fortunately, we can get around this problem by redefining what we mean by a state in the superposition $|\Psi'\rangle$ given in (5) being good. Fix an $i$ with $1 \le i \le n$. Redefine a state to be good if the $i$th entry in the first register is 1. What is now the success probability $p_i$ of $A'$? If all elements in $K$ have 0 in the $i$th entry then $p_i = 0$. Otherwise, exactly half the elements in $K$ have 0 in the $i$th entry and exactly half of them have 1, and therefore $p_i = 1/2$. The success probability of $A'$ is thus either zero or one half.

Consider the set of probabilities $\{p_1, \dots, p_n\}$. It contains one value for each entry in the first register. If $K = \{0\}$ is trivial then $p_i = 0$ for all $1 \le i \le n$. Otherwise, if $K$ is nontrivial then at least for one $i$ with $1 \le i \le n$ we have $p_i = 1/2$. This suggests that if we apply Lemma 8 once for each of the $n$ different values of $i$ in order to improve the success probability of $A'$ from $p_i$ to $2p_i$, then at least one of the measured elements is a nonzero element of $K$ if and only if $K$ is nontrivial. We prove now that this is indeed the case by giving our proof of Theorem 4 stated in Section 2.

Proof of Theorem 4 Write $H_0^\perp = K \oplus \langle Y \rangle$ as the direct sum of a subgroup $K$ and the subgroup generated by the known elements $Y \subseteq H_0^\perp$.

Let $P = \{i : 1 \le i \le n\}$. For every $i \in P$, we construct a quantum algorithm $Q_i$ that on input $|0^n\rangle |0, 0^m\rangle$ returns an element $z^{(i)}$ of $K$ after a measurement. We then construct a larger algorithm which consists of all the $n$ smaller $Q_i$ and we show that at least one of the measured elements $z^{(i)}$ is nonzero if and only if $K$ is nontrivial.

Fix an $i \in P$. Define the function $\chi_i : G \to \{0,1\}$ by $\chi_i(g) = g_i$ where $g = (g_1, \dots, g_n)$. Thus, $\chi_i(g)$ is 1 if and only if the $i$th entry of $g$ is 1.

The output of the computation $A' |0^n\rangle |0, 0^m\rangle$ is the superposition $|\Psi'\rangle$ given in (5). If we measure $|\Psi'\rangle$, let $p_i$ denote the probability that we obtain a state $|g\rangle |x\rangle$ with the $i$th entry of $g$ equal to 1, $g_i = 1$. If all elements in $K$ hold a 0 in that entry then $p_i$ is zero. Otherwise, half the elements in $K$ hold a 1 in that entry and thus, independently of the content of the second register of $|\Psi'\rangle$, we have that $p_i = 1/2$.

Suppose we apply Lemma 8 on the function $\chi_i$ and the algorithm $A'$ defined above. Let $Q_i$ denote the resulting quantum algorithm. Consider the content of the first register in the final superposition. By Lemma 8 that register contains only elements from $K \le H_0^\perp$, as did $|\Psi'\rangle$ originally. Moreover, each of these elements holds a 1 in the $i$th entry if and only if $p_i = 1/2$.

Suppose we measure the first register. Let $z^{(i)} \in K$ be the outcome. If $p_i = 1/2$ then $z^{(i)}$ is nonzero with certainty. Otherwise, that is if $p_i = 0$, then $z^{(i)}$ may or may not be nonzero.

Consider that we run quantum algorithm $Q_i$ sequentially for each $i \in P$, and follow each run by a measurement of the first register. Suppose $K$ is nontrivial. Let $g \in K$ be any nonzero element and let $i_0 \in P$ be so that $g_{i_0} = 1$ where $g = (g_1, \dots, g_n)$. Then $p_{i_0} = 1/2$ and therefore, with certainty, the measured element $z^{(i_0)} \in K$ is nonzero. Now, suppose $K$ is trivial. Then, for all $i \in P$, we have that $z^{(i)}$ is the zero element. This completes the first part of the theorem.

Consider the overall running time of this composed quantum algorithm. Each of the transforms $U_{\chi_i}$ can clearly be implemented in constant time and thus, by Lemma 8, $Q_i$ runs in time linear in $n$ and in the time required to compute $A'$. Since the composed algorithm consists of running each of the $n$ algorithms $Q_i$ one after the other, it runs in time polynomial in $n$ and in the time required to compute $A'$ as well. □

Having proved Theorem ^ we have completed the description and proof of our new QP-algorithm for solving Simon's subgroup problem.

We end this section with a supplementary remark on the total number of times we need to compute function $\rho$. By the proof of Theorem |[ we apply Theorem ^ at most $n$ times. In each of these applications, we run each of the $n$ quantum algorithms $Q_i$ ($i \in P$) defined above. Since each $Q_i$ computes the function $\rho$ a constant number of times, this gives an upper bound of $O(n^2)$ evaluations of $\rho$.

We will show that just $O(n)$ evaluations of $\rho$ suffice. First, restate the above counting argument as follows. For each $i \in P$, our QP-algorithm applies $Q_i$ at most $n$ times. Since $P$ has cardinality $n$, the number of evaluations of $\rho$ is $O(n^2)$. We now show that it suffices to run each $Q_i$ at most once.

Consider the first time we run $Q_i$ for $i \in P$. There are two cases depending on the outcome $z^{(i)}$. If $z^{(i)}$ is the zero element then we know that all elements in the subgroup $K$ (defined in the beginning of the proof of Theorem ^) hold a 0 in the $i$th entry. Moreover, this will also be the case in successive iterations when $K$ has shrunk further. Therefore, it would be pointless to run $Q_i$ again.

On the other hand, if $z^{(i)}$ is nonzero then it fulfills the requirements in Theorem ^ of being a nonzero element preserving independence. Thus, we do not need to run any of the remaining $Q_i$ algorithms in that application of Theorem ^. Moreover, since the $i$th entry in $z^{(i)}$ is a 1, we can construct our new subgroup $K$ in the next applications of Theorem ^ such that all elements in the new subgroup $K$ hold a 0 in the $i$th entry. This is done by letting that entry be the control bit in Lemma ^, that is, by choosing $j = i$. Thus, also in this case, we do not need to run $Q_i$ again.

5 Decision problems

Until now, we have dealt with a version of Simon's problem that consists of finding a generating set for some subgroup $H_0 \leq G = \mathbb{Z}_2^n$. In Simon's original setting, this subgroup is of order 2 and the problem reduces to finding its unique nonzero element, called $s$ at the beginning of Section ^. Recall that we say of such a function that it fulfills Simon's promise with respect to $s$. A natural question is whether there exists a decision problem in QP that would require exponential time to decide on any classical bounded-error probabilistic computer. In this section, we give a positive answer in an appropriate oracle setting.

This can be achieved in several ways. The simplest is to note that our algorithm can distinguish with certainty, after guaranteed worst-case polynomial time, between a function $\rho : \{0,1\}^n \to \{0,1\}^n$ that is a bijection and one that fulfills Simon's promise: just apply our general algorithm and see if it turns out zero or one generator for $H_0$. (Recall that Simon's original algorithm could distinguish these two cases with certainty after expected polynomial time, or alternatively it could distinguish them with bounded error probability after guaranteed worst-case polynomial time.) In his paper [18], Simon proves the existence of an oracle $O$ and a decision problem $L$ such that (1) no classical probabilistic oracle machine that queries $O$ fewer than $2^{n/4}$ times on input $1^n$ can decide $L$ with bounded error probability, and (2) deciding $L$ given $O$ reduces efficiently and deterministically to the problem of distinguishing between the two types of functions mentioned above. It follows from our algorithm that $L$ can be decided with certainty in guaranteed worst-case polynomial time on a quantum computer, given $O$ as oracle: $L \in \mathrm{QP}^O$.

Another approach to transforming Simon's problem into a decision problem, which we find more elegant, is to consider an arbitrary function $\gamma : \{0,1\}^+ \to \{0,1\}$, which is balanced in the sense that there are exactly $2^{n-1}$ strings $x \in \{0,1\}^n$ such that $\gamma(x) = b$ for each $b \in \{0,1\}$ and $n \geq 1$. For example, $\gamma(x)$ could be simply the most significant or the least significant bit of $x$, or it could be the exclusive-or of all the bits in $x$. Consider now an integer $n$ and a function $\rho : \{0,1\}^n \to \{0,1\}^{n-1}$ chosen randomly according to the uniform distribution among all functions that fulfill Simon's promise with respect to some nonzero $s \in \{0,1\}^n$. We prove below (Theorem 9) that no subexponential-time classical probabilistic algorithm can guess $\gamma(s)$ essentially better than at random, except with exponentially small probability, when $\rho$ is provided as an oracle. The probabilities are taken among all choices for $\rho$, as well as the probabilistic choices made by the algorithm, but not over the possible choice for $\gamma$: any fixed balanced $\gamma$ will do. It follows (Corollary 10) that there is an oracle that simultaneously defeats every classical algorithm.



Theorem 9 Fix an arbitrary balanced function $\gamma$ and an integer $n \geq 4$. Consider an arbitrary classical probabilistic algorithm that has access to a function oracle $\rho : \{0,1\}^n \to \{0,1\}^{n-1}$ chosen at random according to the uniform distribution among all functions that fulfill Simon's promise with respect to some $s$. Assume the algorithm queries its oracle no more than $2^{n/3}$ times. Then there exists an event $\mathcal{E}$ such that (1) $\mathrm{Prob}[\mathcal{E}] < 2^{-n/3}$, and (2) if $\mathcal{E}$ does not occur then the probability that the algorithm correctly returns $\gamma(s)$ is less than $\frac{1}{2} + 2^{-n/3}$. The probabilities are taken over all possible choices of function $\rho$ and the probabilistic choices made by the algorithm. It follows that the algorithm cannot guess the value of $\gamma(s)$ with a probability better than $\frac{1}{2} + 2 \times 2^{-n/3}$.

Proof Assume that the algorithm has queried its oracle on inputs $x_1, x_2, \ldots, x_k$ for $x_i \in \{0,1\}^n$, $1 \leq i \leq k \leq 2^{n/3}$. Without loss of generality, assume that all the queries are distinct. Let $y_1, y_2, \ldots, y_k$ be the answers obtained from the oracle, i.e. $y_i = \rho(x_i)$ for each $i$. Define the event $\mathcal{E}$ as occurring if there exist $i$ and $j$, $1 \leq i < j \leq k$, such that $y_i = y_j$. Clearly, the algorithm has discovered the secret $s$ when $\mathcal{E}$ occurs since in that case $s = x_i \oplus x_j$. This allows the algorithm to determine $\gamma(s)$ with certainty. We have to prove that $\mathcal{E}$ is very unlikely and that, unless $\mathcal{E}$ occurs, the algorithm has so little information that it cannot guess $\gamma(s)$ significantly better than at random.

Let $X = \{x_1, x_2, \ldots, x_k\}$ be the set of queries to the oracle and let $Y = \{y_1, y_2, \ldots, y_k\}$ be the corresponding answers. Let $W = \{x_i \oplus x_j \mid 1 \leq i < j \leq k\}$, $S = \{0,1\}^n \setminus (W \cup \{0^n\})$, and let $m < k^2$ be the cardinality of $W$. Note that $\mathcal{E}$ occurs if and only if $s \in W$ since $y_i = y_j$ if and only if $x_i \oplus x_j = s$. If $\mathcal{E}$ does not occur, we say that any $\tilde{s} \in S$ is compatible with the available data because it is not ruled out as a possible value for the actual unknown $s$. Similarly, given any compatible $\tilde{s}$, we say that a function $\tilde{\rho} : \{0,1\}^n \to \{0,1\}^{n-1}$ is compatible with the available data (and with $s = \tilde{s}$) if $\tilde{\rho}(x_i) = y_i$ for all $i \leq k$, and if $\tilde{\rho}(x) = \tilde{\rho}(x')$ if and only if $x \oplus x' = \tilde{s}$ for all distinct $x$ and $x'$ in $\{0,1\}^n$.

Assume for the moment that $\mathcal{E}$ has not occurred. Now we prove that there are exactly $(2^n - m - 1)\,\big((2^{n-1} - k)!\big)$ functions that are compatible with the available data. For each compatible $\tilde{s}$, exactly $(2^{n-1} - k)!$ of those functions are also compatible with $s = \tilde{s}$. It follows that all compatible values for $s$ are equally likely to be correct given the available data, and therefore the only information available about $s$ is that it belongs to $S$. For this, consider an arbitrary compatible $\tilde{s}$. Define $X' = \{x \oplus \tilde{s} \mid x \in X\}$. It follows from the compatibility of $\tilde{s}$ that $X \cap X' = \emptyset$. Let $Z = \{0,1\}^n \setminus (X \cup X')$. Note that $x \in Z$ if and only if $x \oplus \tilde{s} \in Z$. Partition $Z$ in an arbitrary way into $Z_1 \cup Z_2$ so that $x \in Z_1$ if and only if $x \oplus \tilde{s} \in Z_2$. The cardinalities of $Z_1$ and $Z_2$ are $(2^n - 2k)/2 = 2^{n-1} - k$. Now let $Y' = \{0,1\}^{n-1} \setminus Y$, also a set of cardinality $2^{n-1} - k$.

To each bijection $\xi : Z_1 \to Y'$ there corresponds a function $\tilde{\rho}$ compatible with the available data and $s = \tilde{s}$, defined by

$$\tilde{\rho}(x) = \begin{cases} y_i & \text{if } x = x_i \text{ for some } 1 \leq i \leq k \\ y_i & \text{if } x = x_i \oplus \tilde{s} \text{ for some } 1 \leq i \leq k \\ \xi(x) & \text{if } x \in Z_1 \\ \xi(x \oplus \tilde{s}) & \text{if } x \in Z_2 . \end{cases}$$

The conclusion about the number of compatible functions follows from the facts that there are $(2^{n-1} - k)!$ such bijections, each possible function compatible with the available data and $s = \tilde{s}$ is counted exactly once by this process, and there are $2^n - m - 1$ compatible choices for $\tilde{s}$, each yielding a disjoint set of functions compatible with the available data.

Still considering the case that $\mathcal{E}$ has not occurred, let $A = \{z \in S \mid \gamma(z) = 1\}$ and $B = \{z \in S \mid \gamma(z) = 0\}$. Because we have just seen that each element of $S$ is equally likely to be the correct value for $s$, the algorithm's best strategy is to return 1 if $|A| > |B|$ and 0 otherwise. In the best case (for the algorithm), there are $2^{n-1}$ strings in $A$ and the remaining $2^{n-1} - 1 - m$ strings are in $B$, in which case the guess is correct with probability

$$\frac{2^{n-1}}{2^n - 1 - m} \;\leq\; \frac{2^{n-1}}{2^n - k^2} \;\leq\; \frac{2^{n-1}}{2^n - 2^{2n/3}} \;<\; \frac{1}{2} + 2^{-n/3}$$

provided $n \geq 4$.

It remains to prove that the probability that event $\mathcal{E}$ occurs is exponentially small. For this, note that all nonzero values for $s$ are equally likely a priori and event $\mathcal{E}$ occurs if and only if $s \in W$. It follows that

$$\mathrm{Prob}[\mathcal{E}] = m/(2^n - 1) < k^2/2^n \leq 2^{-n/3}$$

where $m$ is the cardinality of $W$ and $k \leq 2^{n/3}$ is the number of oracle queries.

In conclusion, the probability that the algorithm guesses $\gamma(s)$ correctly is less than

$$\mathrm{Prob}[\mathcal{E}] + (1 - \mathrm{Prob}[\mathcal{E}])\left(\tfrac{1}{2} + 2^{-n/3}\right) < 2^{-n/3} + \left(\tfrac{1}{2} + 2^{-n/3}\right) = \tfrac{1}{2} + 2 \times 2^{-n/3} .$$

□
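The counting argument in this proof can be checked exactly on a tiny instance. The following Python is an added example, not code from the paper: it enumerates every function fulfilling Simon's promise for $n = 3$, computes $\mathrm{Prob}[\mathcal{E}]$ and the number of compatible functions for a constructed two-query transcript, and compares the best possible guessing success against the first term $2^{n-1}/(2^n - 1 - m)$ of the chain of inequalities above. The choice $n = 3$, the transcript and the balanced $\gamma$ (the least significant bit) are assumptions of the example.

```python
"""Added example (not from the paper): brute-force check of the counting
argument in the proof of Theorem 9 for n = 3.  Strings in {0,1}^n are ints,
rho maps them to ints in {0,1}^{n-1}, and every function fulfilling Simon's
promise is enumerated so that all probabilities are exact fractions."""
import itertools
import math
from fractions import Fraction


def simon_functions(n):
    """All (s, rho) with rho : {0,1}^n -> {0,1}^{n-1} fulfilling Simon's promise
    with respect to the nonzero s: rho(x) = rho(x') iff x' = x xor s (x != x')."""
    size = 1 << n
    out = []
    for s in range(1, size):
        reps = [x for x in range(size) if x < x ^ s]   # one representative per pair {x, x^s}
        for values in itertools.permutations(range(size // 2)):
            rho = [0] * size
            for rep, v in zip(reps, values):
                rho[rep] = rho[rep ^ s] = v
            out.append((s, tuple(rho)))
    return out


def pair_xors(queries):
    """W = {x_i xor x_j : i < j}; the event E occurs exactly when s lies in W."""
    return {x ^ y for x, y in itertools.combinations(queries, 2)}


def event_e_probability(functions, queries):
    """Prob[E] over the uniform choice of rho for a fixed list of distinct queries."""
    W = pair_xors(queries)
    return Fraction(sum(1 for s, _ in functions if s in W), len(functions))


def compatible_functions(functions, queries, answers):
    """Functions that agree with the transcript (queries, answers)."""
    return [(s, rho) for s, rho in functions
            if all(rho[x] == y for x, y in zip(queries, answers))]


def best_guess_success(n, queries, gamma):
    """When E has not occurred every s in S = {0,1}^n \\ (W u {0}) is equally
    likely, so the best strategy answers with the majority value of gamma on S;
    return that success probability, max(|A|, |B|) / |S|."""
    S = set(range(1, 1 << n)) - pair_xors(queries)
    ones = sum(1 for z in S if gamma(z) == 1)
    return Fraction(max(ones, len(S) - ones), len(S))


def paper_bound(n, m):
    """2^{n-1} / (2^n - 1 - m), the first term of the inequality chain (m = |W|)."""
    return Fraction(2 ** (n - 1), 2 ** n - 1 - m)


if __name__ == "__main__":
    n = 3
    fs = simon_functions(n)                      # 7 secrets * 4! = 168 functions
    queries, answers = [0b000, 0b001], [0, 1]    # constructed transcript, k = 2 <= 2^{n/3}
    m = len(pair_xors(queries))
    print(len(fs), event_e_probability(fs, queries))          # 168 and 1/7 = m/(2^n - 1)
    comp = compatible_functions(fs, queries, answers)
    print(len(comp), (2 ** n - m - 1) * math.factorial(2 ** (n - 1) - len(queries)))
    lsb = lambda z: z & 1                        # a balanced gamma: least significant bit
    print(best_guess_success(n, queries, lsb), paper_bound(n, m))   # 1/2 and 2/3
```

Each compatible $\tilde{s}$ contributes exactly $(2^{n-1} - k)! = 2$ functions here, and the 12 compatible functions split evenly over the six elements of $S$, which is the uniformity the proof relies on.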

The theorem we have just proven says that no classical probabilistic algorithm can guess $\gamma(s)$ much better than at random without spending exponential time on a random function that fulfills Simon's promise, provided that function is supplied as a black box chosen after the algorithm has been fixed. Can we find a single function that simultaneously defeats all classical probabilistic algorithms? The answer is obviously negative for any fixed finite function. Nevertheless, the following corollary shows that it is possible to encode an infinite number of such functions into a single oracle so that every classical probabilistic algorithm is defeated infinitely many times. This exhibits an exponential gap between the power of exact quantum computation and that of classical bounded-error probabilistic computation, even for decision problems.

Corollary 10 There exists an oracle $O$ relative to which there is a decision problem $L \in \mathrm{QP}^O$ so that, for any classical probabilistic algorithm whose running time is bounded by $2^{n/3}$ on all inputs of size $n$, there are infinitely many inputs about which the algorithm decides membership in $L$ with probability no better than $\frac{1}{2} + 2 \times 2^{-n/3}$.

Proof Fix some polynomial-time computable balanced function $\gamma$ once and for all. For any fixed classical probabilistic algorithm, integer $n$, and function $\rho : \{0,1\}^n \to \{0,1\}^{n-1}$ that fulfills Simon's promise with respect to some $s$, we say that the algorithm is defeated by $\rho$ if it cannot guess $\gamma(s)$ with probability better than $\frac{1}{2} + 2 \times 2^{-n/3}$ after taking less than $2^{n/3}$ steps. It follows directly from Theorem 9 that every classical probabilistic algorithm is defeated by at least one $\rho$ for each value of $n \geq 4$. This remains true even if the algorithm is supplied with another arbitrary fixed oracle, in addition to the oracle for $\rho$.

Define function $e$ by $e(1) = 2$ and $e(i+1) = 2^{e(i)}$ for $i \geq 1$. Let $\eta$ be an arbitrary function that maps integers to classical probabilistic algorithms such that every algorithm appears infinitely many times in the image of $\eta$. For any integer $n$ and functions $\rho : \{0,1\}^n \to \{0,1\}^{n-1}$ and $\sigma : \{0,1\}^+ \to \{0,1\}^*$, let $[\rho, \sigma] : \{0,1\}^+ \to \{0,1\}^*$ denote the function that sends $x$ to $\rho(x)$ for all $x \in \{0,1\}^n$ and to $\sigma(x)$ otherwise. We build the required function oracle $O : \{0,1\}^+ \to \{0,1\}^*$ by stages: $O(x) = O_i(x)$ for all $x \in \{0,1\}^n$ such that $n < e(i+1)$ and $i \geq 1$. Initially, $O_1(x)$ is the string of size $n - 1$ obtained by removing the most significant bit of $x$ for each $x \in \{0,1\}^n$ and each $n \geq 1$. For each $i \geq 2$, let $n = e(i)$ and define $O_i$ given $O_{i-1}$ as follows: choose a function $\rho_i : \{0,1\}^n \to \{0,1\}^{n-1}$ that fulfills Simon's promise with respect to some $s_i$ in a way that defeats algorithm $\eta(i)$ given $[\rho_i, O_{i-1}]$ as oracle; let $O_i = [\rho_i, O_{i-1}]$. Finally define

$$L = \{\, 1^{e(i)} \mid i \geq 2 \text{ and } \gamma(s_i) = 1 \,\}.$$



Note that for each positive integer $n$, the restriction of $O$ to $\{0,1\}^n$ is a function that fulfills Simon's promise, and therefore $L \in \mathrm{QP}^O$ by the algorithm given in this paper. On the other hand, consider an arbitrary classical probabilistic algorithm $\mathcal{A}$ and let $i$ be one of the infinitely many integers such that $\eta(i) = \mathcal{A}$. We know by construction that $\rho_i$ defeats $\mathcal{A}$ given oracle $O_i$. This means that $\mathcal{A}$ cannot guess $\gamma(s_i)$ significantly better than at random after taking less than exponentially many steps on input $1^{e(i)}$. But $\mathcal{A}$ would require exponential time even to formulate a question of size $e(i+1) = 2^{e(i)}$ or bigger for its oracle. Since $O(x) = O_i(x)$ for all $x$ of size shorter than $e(i+1)$, it follows that $\mathcal{A}$ behaves in the same way on input $1^{e(i)}$ whether it is given $O$ or $O_i$ as oracle, unless it takes exponential time. Therefore $\rho_i$ defeats $\mathcal{A}$ given oracle $O$ as well. This happens infinitely often for each classical probabilistic algorithm, which proves the desired result. □

6 Other Abelian groups 

So far, we have restricted our attention to the Abelian group $G = \mathbb{Z}_2^n$. In this section, we discuss how these results generalize to other Abelian groups. We start by considering the natural extension of Simon's problem and subroutine to an arbitrary finite additive Abelian group. Our presentation is kept in group-theoretical terms and our main tools are three quantum operators defined on the group. We also discuss how our own algorithm generalizes.

For every $m \geq 1$, let $\mathbb{Z}_m$ denote the additive cyclic group of order $m$. For any given $n$-tuple of positive integers $(m_1, \ldots, m_n)$, let $G = (G, +)$ denote the finite additive Abelian group $\mathbb{Z}_{m_1} \oplus \cdots \oplus \mathbb{Z}_{m_n}$. We define the Abelian subgroup problem as follows: Given group $G$ and a function $\rho$ defined on $G$ and promised to be constant and distinct on each coset of some unknown subgroup $H_0 \leq G$, find a generating set for $H_0$.

Our first task is to generalize the concept of orthogonality given by Equations |l] and ^. For every $m \geq 1$, let $\omega_m = \exp(2\pi i/m)$ denote the $m$th principal root of unity. Let $\mathbb{C}^*$ denote the multiplicative group of the nonzero complex numbers. Define a bilinear map $\mu : G \times G \to \mathbb{C}^*$ by

$$\mu(g, h) = \prod_{i=1}^{n} \omega_{m_i}^{\,g_i h_i} \qquad (6)$$

where $g = (g_1, \ldots, g_n)$ and $h = (h_1, \ldots, h_n)$. We say that an element $g \in G$ is orthogonal to a subset $X \subseteq G$ if, for all $x \in X$, we have that $\mu(g, x)$ is the identity of the group $\mathbb{C}^*$, that is, if $\mu(g, x) = 1$. Note the correspondence to the bilinear map in Section ^. There, the image was an additive group with identity 0, while here, the image is a multiplicative group with identity 1. For any subgroup $H \leq G$, let

$$H^\perp = \{\, g \in G \mid \mu(g, h) = 1 \text{ for all } h \in H \,\} \qquad (7)$$

denote the set of all elements in $G$ orthogonal to $H$. Clearly, $H^\perp$ is a subgroup and we refer to it as the orthogonal subgroup of $H$.



For any subgroups $K \leq H \leq G$, let $[H : K]$ denote the index of $K$ in $H$. As in the simple case $G = \mathbb{Z}_2^n$, we have the duality relations

$$|H^\perp| = [G : H] \qquad\text{and}\qquad (H^\perp)^\perp = H$$

for all subgroups $H \leq G$.

We now define three fundamental quantum operators for the group $G$. Together, they extend the ideas and the notation used in Section ^. They are the quantum Fourier transform $F_G$, the translation operator $T_t$ ($t \in G$), and the phase-change operator $\phi_h$ ($h \in G$), defined as follows.

$$F_G = \frac{1}{\sqrt{|G|}} \sum_{g, h \in G} \mu(g, h)\, |g\rangle\langle h|$$

$$T_t = \sum_{g \in G} |g + t\rangle\langle g|$$

$$\phi_h = \sum_{g \in G} \mu(h, g)\, |g\rangle\langle g|$$

One may readily check that these three $G$-operators are unitary. Note that when $G = \mathbb{Z}_2^n$ then the transform $F_G$ is just the Walsh-Hadamard transform $W_{2^n}$ used in Section H. Unsurprisingly, the Fourier transform maps a subgroup $H \leq G$ to its orthogonal subgroup $H^\perp$,

$$F_G |H\rangle = |H^\perp\rangle .$$

Moreover, the $G$-operators satisfy the following commutative laws, which we state without proof.

Theorem 11 (Commutative laws of the $G$-operators) For every $h, t \in G$ we have

$$\mu(h, t)\, T_t\, \phi_h = \phi_h\, T_t$$

$$F_G\, T_t = \phi_t\, F_G .$$

With this setup, we can give a natural extension of Simon's subroutine, denoted $U_G$, for the general Abelian subgroup problem.

$$U_G = (F_G \otimes I) \circ U_\rho \circ (F_G^{-1} \otimes I) \qquad (8)$$

Here, $I$ denotes the identity operator, and the notation $U_1 \otimes U_2$ means applying the unitary operator $U_1$ on the first register and $U_2$ on the second.

Consider that we perform the experiment

$$z = \mathcal{M}_1 \circ U_G |0\rangle|0\rangle \qquad (9)$$

where $\mathcal{M}_1$ denotes a measurement of the first register with outcome $z$ and where the first register initially holds the identity of the group $G$.

If $G = \mathbb{Z}_2^n$ then the outcome $z \in G$ is a random element of the orthogonal subgroup $H_0^\perp \leq G$ by the discussion of Simon's subroutine in Section Bl. With the help of the commutative laws in Theorem 11, we now give a short proof that this holds for every finite additive Abelian group $G$.

The experiment given in Equations (8) and (9) consists of four operations. As the first, we apply $F_G^{-1} \otimes I$ on the initial zero state $|0\rangle|0\rangle$, producing an equally-weighted superposition of all elements in the group $G$,

$$\frac{1}{\sqrt{|G|}} \sum_{g \in G} |g\rangle |0\rangle .$$

Then, as the second operation, applying $U_\rho$ gives a superposition of all cosets of $H_0$,

$$\frac{1}{\sqrt{|T_0|}} \sum_{t \in T_0} \big( T_t |H_0\rangle \big) |\rho(t)\rangle .$$

Here $T_0$ denotes a transversal for $H_0$ in $G$. Applying, as the third operation, the Fourier transform on the first register produces the superposition

$$\frac{1}{\sqrt{|T_0|}} \sum_{t \in T_0} \big( F_G T_t |H_0\rangle \big) |\rho(t)\rangle = \frac{1}{\sqrt{|T_0|}} \sum_{t \in T_0} \big( \phi_t F_G |H_0\rangle \big) |\rho(t)\rangle = \frac{1}{\sqrt{|T_0|}} \sum_{t \in T_0} \big( \phi_t |H_0^\perp\rangle \big) |\rho(t)\rangle .$$

Since the operator $\phi_t$ changes only phases and not amplitudes, a measurement of $\phi_t |H_0^\perp\rangle$ gives the same probability distribution on the possible outcomes as a measurement of $|H_0^\perp\rangle$. It follows that the outcome $z$ of $\mathcal{M}_1$ is a random element of the orthogonal subgroup $H_0^\perp$. This completes our short proof of how the natural generalization of Simon's subroutine can be used to sample random elements

The time needed to apply operator $U_G$ is equal to twice the time to compute $F_G$ plus the time to compute the function $\rho$. By a result of Kitaev [16], for all finite additive Abelian groups $G$, the Fourier transform $F_G$ can be applied in polynomial time in $\log |G|$. However, his method applies the transform not with perfection, but only with arbitrarily good precision (see [16] for details). Yet, this suffices to imply a ZQP-algorithm for the Abelian subgroup problem.
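As an added example (not code from the paper), the following Python builds the three $G$-operators for the constructed group $G = \mathbb{Z}_2 \oplus \mathbb{Z}_4$ as dense matrices, checks the commutative laws of Theorem 11 numerically, and simulates the experiment of Equations (8) and (9) with a state vector, confirming that the first-register outcome is uniform on $H_0^\perp$. The group, the subgroup $H_0 = \langle (1,2) \rangle$ and the coset-labelling function used as $\rho$ are assumptions of the example; $F_G^{-1}|0\rangle$ is taken directly as the uniform superposition, since $\mu(0, g) = 1$ for every $g$.

```python
"""Added example (not from the paper): the G-operators of Section 6 on the
small group G = Z_2 + Z_4, checked numerically, plus a state-vector
simulation of the experiment z = M_1 o U_G |0>|0>.  Pure Python with cmath;
group elements are tuples and operators are dense complex matrices."""
import cmath
import itertools
import math

EPS = 1e-9


def group_elements(moduli):
    """Elements of G = Z_{m_1} + ... + Z_{m_n} in a fixed order (the basis order)."""
    return list(itertools.product(*(range(m) for m in moduli)))


def add(g, h, moduli):
    return tuple((a + b) % m for a, b, m in zip(g, h, moduli))


def mu(g, h, moduli):
    """Equation (6): mu(g, h) = prod_i omega_{m_i}^{g_i h_i}."""
    return cmath.exp(2j * math.pi * sum(a * b / m for a, b, m in zip(g, h, moduli)))


def subgroup_generated(gens, moduli):
    H = {tuple(0 for _ in moduli)}
    todo = list(H)
    while todo:
        g = todo.pop()
        for x in (add(g, s, moduli) for s in gens):
            if x not in H:
                H.add(x)
                todo.append(x)
    return H


def orthogonal_subgroup(H, moduli):
    """Equation (7): H^perp = {g : mu(g, h) = 1 for all h in H}."""
    return {g for g in group_elements(moduli)
            if all(abs(mu(g, h, moduli) - 1) < EPS for h in H)}


def fourier_matrix(moduli):
    G = group_elements(moduli)
    c = 1 / math.sqrt(len(G))
    return [[c * mu(g, h, moduli) for h in G] for g in G]   # F_G: row g, column h


def translation_matrix(t, moduli):
    G = group_elements(moduli)
    row = {g: i for i, g in enumerate(G)}
    T = [[0j] * len(G) for _ in G]
    for j, g in enumerate(G):
        T[row[add(g, t, moduli)]][j] = 1                     # T_t |g> = |g + t>
    return T


def phase_matrix(h, moduli):
    G = group_elements(moduli)
    return [[mu(h, g, moduli) if i == j else 0j for j in range(len(G))]
            for i, g in enumerate(G)]                        # phi_h |g> = mu(h, g) |g>


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def same(A, B):
    return all(abs(a - b) < EPS for ra, rb in zip(A, B) for a, b in zip(ra, rb))


def commutation_laws_hold(moduli, h, t):
    """Theorem 11: mu(h,t) T_t phi_h = phi_h T_t  and  F_G T_t = phi_t F_G."""
    F, T = fourier_matrix(moduli), translation_matrix(t, moduli)
    Ph, Pt = phase_matrix(h, moduli), phase_matrix(t, moduli)
    c = mu(h, t, moduli)
    law1 = same([[c * x for x in row] for row in matmul(T, Ph)], matmul(Ph, T))
    law2 = same(matmul(F, T), matmul(Pt, F))
    return law1 and law2


def simon_outcome_distribution(moduli, rho):
    """Probability of each first-register outcome z of Equation (9).
    Starts from the state after F_G^{-1} x I and U_rho, i.e. amplitude
    1/sqrt|G| on every |g>|rho(g)>, then applies F_G to the first register."""
    G = group_elements(moduli)
    F = fourier_matrix(moduli)
    amp = {(g, rho(g)): 1 / math.sqrt(len(G)) for g in G}
    out = {}
    for (g, y), a in amp.items():
        j = G.index(g)
        for i, x in enumerate(G):
            out[(x, y)] = out.get((x, y), 0j) + F[i][j] * a
    dist = {}
    for (x, _), a in out.items():
        dist[x] = dist.get(x, 0.0) + abs(a) ** 2
    return {x: p for x, p in dist.items() if p > EPS}


def coset_label(H0, moduli):
    """A rho that is constant and distinct on the cosets of H0 (least coset element)."""
    return lambda g: min(add(g, h, moduli) for h in H0)


if __name__ == "__main__":
    moduli = (2, 4)
    H0 = subgroup_generated([(1, 2)], moduli)      # order 2
    perp = orthogonal_subgroup(H0, moduli)         # order [G : H0] = 4
    print(sorted(perp))                            # [(0,0), (0,2), (1,1), (1,3)]
    print(commutation_laws_hold(moduli, (1, 3), (1, 1)))
    dist = simon_outcome_distribution(moduli, coset_label(H0, moduli))
    print({z: round(p, 6) for z, p in sorted(dist.items())})   # 0.25 on each z in H0^perp
```

The outcomes with nonzero probability are exactly the four elements of $H_0^\perp$, each with probability $1/4$, and the elements outside $H_0^\perp$ cancel because the coset sum $\sum_{h \in H_0} \mu(x, h)$ vanishes there, which is the phase-only role of $\phi_t$ in the derivation.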

A direct generalization of our QP-algorithm would require the solutions to two problems.

The first problem is that we must be capable of computing the Fourier transform $F_G$ exactly. Cleve [Jl^] and Coppersmith [lis], building on the work of Shor [17], showed that it can be applied exactly in polynomial time whenever $G$ is of smooth order. Here the order of a group $G$ is smooth if all its prime factors are at most $\log^c |G|$ for some fixed constant $c$. Thus, in that case we can also apply $U_G$ efficiently and exactly, assuming we are given a polynomial-time (in $\log |G|$) algorithm to compute $\rho$.

The second problem is how to make certain that we find larger and larger subgroups of $H_0^\perp$ at each iteration until we eventually have a generating set for $H_0^\perp$. Suppose we have previously found the subset $Y \subseteq H_0^\perp$ and now we measure some element $z \in H_0^\perp$. For the group $G = \mathbb{Z}_2^n$, we ensured in Section ij2, via Lemma |], that $z$ is the zero element of $G$ if $Y$ generates $H_0^\perp$, and otherwise $z \in H_0^\perp \setminus \langle Y \rangle$ is not generated by $Y$. Thus, in the latter case $Y \cup \{z\}$ generates a subgroup strictly larger than the one generated by $Y$ itself.

Lemma ^ implies that if we can find a function $\chi$ defined on $G$ such that $\chi$ equals 1 on exactly half the elements of $H_0^\perp$ and $\chi$ is 0 on the subgroup generated by $Y \subseteq H_0^\perp$, then we can ensure that $z$ is nonzero. We can show that this implication holds not only with the above fraction $1/2$, but for any fraction $1/k$ where $k \leq \log^c |G|$ for some fixed constant $c$.

We are currently investigating for which groups of smooth order we can find such a function $\chi$, since this would solve the second problem. If, in addition, there is an efficient algorithm to compute $\chi$, then this would imply a QP-algorithm for the group under consideration.

As our final example of generalizing our QP-algorithm for Simon's subgroup problem, consider the discrete logarithm problem defined as follows. For every prime $p$, let $\mathbb{Z}_p^*$ denote the multiplicative cyclic group of the positive integers smaller than $p$. The discrete logarithm problem is: given $p$, a generator $\zeta$ of $\mathbb{Z}_p^*$, and an element $a \in \mathbb{Z}_p^*$, find $0 \leq r < p$ such that $\zeta^r = a$ in $\mathbb{Z}_p^*$.

Shor gave in [17] a ZQP-algorithm for this problem. In our language, his solution consists in a reduction to a problem equivalent to a special case of the Abelian subgroup problem, followed by an algorithm for that problem. Let $G = \mathbb{Z}_{p-1} \oplus \mathbb{Z}_{p-1}$ and define function $\rho : G \to \mathbb{Z}_p^*$ by

$$\rho(g) = \zeta^{g_1} a^{g_2}$$

for $g = (g_1, g_2) \in G$. Let $H_0 \leq G$ be the cyclic subgroup of order $p - 1$ generated by the element $(r, -1) = (r, p - 2)$. Then $\rho$ is constant and distinct on each coset of $H_0$. The orthogonal subgroup $H_0^\perp$ has also order $p - 1$ and is generated by $(1, r)$. It is now easy to see that the discrete logarithm problem reduces to finding the unique element $(g_1, g_2) \in H_0^\perp$ for which $g_1 = 1$. We can show that if we are given a quantum algorithm to compute $F_{p-1}$ exactly then we can find that unique element in worst-case polynomial time (in $\log p$) on a quantum computer.






Here $F_{p-1}$ denotes the quantum Fourier transform for the cyclic group $\mathbb{Z}_{p-1}$.

Theorem 12 (QP-algorithm for Discrete Logarithms) Let $p$ be a prime and $\zeta \in \mathbb{Z}_p^*$ be a generator. Then given a quantum algorithm to compute $F_{p-1}$ exactly, there exists a QP-algorithm that, for all $a \in \mathbb{Z}_p^*$, finds $0 \leq r < p - 1$ such that $\zeta^r = a$ in $\mathbb{Z}_p^*$.
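As an added example (not the paper's code, nor Shor's), the following Python follows the reduction above for small primes: with $\rho(g) = \zeta^{g_1} a^{g_2} \bmod p$, it recovers $H_0$ as the preimage of $\rho(0,0) = 1$ by exhaustive enumeration, computes $H_0^\perp$ using the integer form of $\mu$ on $\mathbb{Z}_{p-1}^2$ (orthogonality means $g_1 h_1 + g_2 h_2 \equiv 0 \pmod{p-1}$), and reads $r$ off the unique element $(1, g_2) \in H_0^\perp$. The primes and generators ($p = 11$, $\zeta = 2$; $p = 23$, $\zeta = 5$) are constructed inputs, and the exhaustive enumeration of $G$ stands in for the quantum sampling of $H_0^\perp$; it validates the algebra of the reduction, not its running time.

```python
"""Added example (not from the paper): Shor's reduction of the discrete
logarithm problem to the Abelian subgroup problem on G = Z_{p-1} + Z_{p-1},
checked by brute force for small primes.  Enumerating G classically stands
in for the quantum sampling of H_0^perp."""
import itertools


def rho_factory(p, zeta, a):
    """rho(g) = zeta^{g1} * a^{g2} mod p, a function from G = Z_{p-1}^2 to Z_p^*."""
    return lambda g: pow(zeta, g[0], p) * pow(a, g[1], p) % p


def orthogonal_subgroup(H, m):
    """For G = Z_m^2 the bilinear map is mu(g, h) = omega_m^{g1 h1 + g2 h2}, so g is
    orthogonal to H iff g1 h1 + g2 h2 = 0 (mod m) for all h in H: exact integers."""
    return {g for g in itertools.product(range(m), repeat=2)
            if all((g[0] * h[0] + g[1] * h[1]) % m == 0 for h in H)}


def cosets(H, m):
    """Partition of G = Z_m^2 into the cosets of H (each coset as a frozenset)."""
    seen, parts = set(), []
    for g in itertools.product(range(m), repeat=2):
        if g not in seen:
            C = frozenset(((g[0] + h[0]) % m, (g[1] + h[1]) % m) for h in H)
            seen |= C
            parts.append(C)
    return parts


def constant_and_distinct_on_cosets(rho, parts):
    """The promise of the Abelian subgroup problem: one value per coset, all different."""
    vals = [{rho(g) for g in C} for C in parts]
    return all(len(v) == 1 for v in vals) and len({min(v) for v in vals}) == len(vals)


def reduction_subgroups(p, zeta, a):
    """H_0 = <(r, -1)> and H_0^perp = <(1, r)>, both of order p - 1.  H_0 is the coset
    of the identity, i.e. the preimage of rho(0, 0) = 1 (brute force stand-in for
    what the quantum algorithm learns about H_0^perp by sampling)."""
    m = p - 1
    rho = rho_factory(p, zeta, a)
    H0 = {g for g in itertools.product(range(m), repeat=2) if rho(g) == 1}
    return H0, orthogonal_subgroup(H0, m)


def discrete_log_via_orthogonal_subgroup(p, zeta, a):
    """Return r with zeta^r = a (mod p): the unique (1, g2) in H_0^perp has g2 = r."""
    m = p - 1
    H0, perp = reduction_subgroups(p, zeta, a)
    assert len(H0) == m and len(perp) == m            # |H_0| = |H_0^perp| = p - 1
    assert constant_and_distinct_on_cosets(rho_factory(p, zeta, a), cosets(H0, m))
    (g,) = [g for g in perp if g[0] == 1]             # unique element with g1 = 1
    return g[1]


if __name__ == "__main__":
    # Constructed instances: 2 generates Z_11^*, and 2^7 = 128 = 7 (mod 11).
    print(discrete_log_via_orthogonal_subgroup(11, 2, 7))    # 7
    H0, perp = reduction_subgroups(11, 2, 7)
    print((7, 9) in H0, (1, 7) in perp)                      # (r, p-2) in H0, (1, r) in H0^perp
    # 5 generates Z_23^*, and 5^10 = 9 (mod 23).
    print(discrete_log_via_orthogonal_subgroup(23, 5, 9))    # 10
```

Because $H_0$ is recovered here as a preimage rather than sampled, the code only confirms the three claims the reduction rests on: $\rho$ is constant and distinct on the cosets of $H_0 = \langle (r, -1) \rangle$, $H_0^\perp$ has order $p - 1$ and contains $(1, r)$, and $(1, r)$ is the only element of $H_0^\perp$ with first coordinate 1.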

Let us end this paper by posing the open problem of finding a QP-algorithm for prime factorization.